Beware of Network Sniffers

I'm really enjoying reading Jesper Johansson and Steve Riley's book Protect Your Windows Network. It's the best book on Windows security by far that I've seen, though it's aimed at a fairly high-end audience and is a bit lean on nitty-gritty "how to" stuff. Conceptually though, their treatment of the subject is masterful and their use of humor and the stories they tell from their own experience make it a real page-turner. Once you start you don't want to put it down.

One section that intrigued me is titled "The Myth of Network Sniffing." Hmm, sniffing is a myth? Shouldn't we be worried about hackers trying to sniff out sensitive information on our networks? Well, as Steve and Jesper point out, there are often far worse things to worry about than someone sniffing your network. For if someone is in a position to sniff traffic, it means they've probably taken control of one of your machines, which means they already have access to whatever information is stored on that machine (and probably any other machines that particular machine trusts or is trusted by). In fact, most hackers would rather go straight for the information actually stored on the compromised host rather than bother with installing sniffing software on it. Why is that?

Well, sniffing is actually a lot harder than Hollywood movies portray it to be. Imagine gaining clandestine access to a corporate network with a thousand nodes connected by a Gigabit Ethernet backbone. You're sitting in the server room with your laptop plugged into the span port of the backbone switch, and you have sniffing software installed on your laptop and your laptop's NIC is running in promiscuous mode. Ask yourself two questions: first, how long will it take for you to fill up your laptop's hard drive with captured packets? And second, how long will it take you to actually find something useful (like a password or other credentials or a MasterCard number) in all those captured packets? Then ask yourself something else: if you're standing in the server room of a company you want to hack, why on earth would you bother sniffing the network anyway? Why not just grab the hard drive from a server and run?

Risk Management

Everything in network security boils down in the end to risk management. You determine what risks your network faces, and then you act accordingly to protect the network within the boundaries of your allotted budget and time. While sniffing poses a danger to your network, so do rodents nibbling on cables in the plenum spaces of your building. Which is more of a threat? It depends -- is your building old and decrepit? Do employees tend to leave their lunch remains on the table at day's end? If either of these is the case, your best security investment might be to get a cat.

Either way, you need to assess the amount of risk each threat (rodents vs. sniffing) poses for your network, and you need to assess this realistically if you are going to protect your network. Then, once you've identified the threats your network faces, you need to prioritize them. Once they're prioritized, you can start taking steps to mitigate the most serious threats while keeping an eye on less likely threats in case their likelihood increases.

Preventing Sniffing

Let's say you do identify sniffing as a realistic, potential threat to your network. What should you do? First, ask yourself why sniffing is a threat. Is it because the steps you've taken to protect the computers on your network aren't really very effective? Is it because your company's physical security is poor and you're actually afraid of someone social-engineering themselves past the receptionist and into the server room where they can tap into a switch? Is it because you're overwhelmed by your new job as administrator and the network has grown over the years as the company expanded and you're not really sure just what's out there on your network? Like, maybe there are some LAN segments using hubs instead of switches, and by the way that computer over there wasn't there yesterday, I wonder who it belongs to? Hmm . . .

Actually, the way to prevent sniffing on your network is pretty straightforward; just follow these steps:

Make sure your network assets are physically secure. If you don't have physical security, you don't have any security.

Make sure you have a written security policy and that it's enforced. Even physical security won't mean anything if you don't have a policy behind it backing it up.

Make sure you know your network's assets, where every cable terminates and which computer or device every switch port connects to.

Make sure your hosts are protected using every means necessary. If the bad guy compromises one of your hosts, sniffing is probably the least of your worries.

Encrypt all traffic on your internal network using IPSec. Just try and sniff that. Which of course means that you can't use sniffers for legitimate reasons on such networks, like troubleshooting network problems (you win some, you lose some).

Finally, you may want to consider setting up a bait machine -- a computer that only you know about. Give this machine a static or reserved IP address but don't create any records for it in the DNS server database. Then if someone is maliciously sniffing your network and they come across this machine, they're likely to try a reverse DNS lookup on its IP address to find out its hostname. Checking your DNS logs periodically for reverse lookups of this machine's IP address could signal a sniffing attack at work.
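As an added example (not from the book or from this post) of the bait-machine check described above, the script below scans DNS query log lines for PTR (reverse) lookups of the bait host's address and reports which client asked, and how often. The bait address and the log lines are constructed, and the log format is assumed to be BIND-style; adapt the regular expression to whatever your DNS server actually writes.

```python
import ipaddress
import re
from collections import Counter

# Constructed, hypothetical bait host: a reserved address with no DNS records.
BAIT_IP = "10.20.30.40"

def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa name a resolver asks for when doing a PTR lookup of ip."""
    return ipaddress.ip_address(ip).reverse_pointer  # e.g. 40.30.20.10.in-addr.arpa

# Constructed sample lines in the style of a BIND query log (not real captures).
SAMPLE_LOG = """\
12-Mar-2005 09:14:02.113 client 10.20.30.77#53211: query: www.example.com IN A +
12-Mar-2005 09:14:05.901 client 10.20.30.77#53212: query: 40.30.20.10.in-addr.arpa IN PTR +
12-Mar-2005 09:14:05.954 client 10.20.30.12#40022: query: mail.example.com IN MX +
12-Mar-2005 09:15:11.040 client 10.20.30.77#53213: query: 40.30.20.10.in-addr.arpa IN PTR +
12-Mar-2005 09:16:00.500 client 10.20.30.99#50001: query: 40.30.20.10.in-addr.arpa IN PTR +
"""

# Assumed log layout: "client <src>#<port>: query: <qname> IN <qtype> ..."
LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def bait_lookups(log_text: str, bait_ip: str = BAIT_IP) -> Counter:
    """Count PTR queries for the bait host's reverse name, keyed by the querying client.

    Nobody should ever need the bait host's name, so any hit is worth investigating;
    the querying client is the machine that saw the bait host's traffic.
    """
    target = reverse_name(bait_ip).lower()
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line in the assumed format
        qname = m.group("qname").rstrip(".").lower()
        if m.group("qtype").upper() == "PTR" and qname == target:
            hits[m.group("src")] += 1
    return hits

if __name__ == "__main__":
    for src, n in bait_lookups(SAMPLE_LOG).most_common():
        print(f"{src} did a reverse lookup of the bait host {n} time(s)")
```

In a real deployment, feed the function the contents of the DNS server's query log on a schedule and alert on any non-empty result; a single querying client that looked up the bait address is the lead to follow.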